Hacking an autonomous vehicle – Common attacks and vulnerabilities


Autonomous vehicles (AVs) incorporate several key technologies to enable driverless, safe, and efficient transportation. They use sensor technology and advanced driver assistance systems to survey the environment, along with some predetermined knowledge, to plan vehicle activity.

This process involves complex and real-time communication between vehicles and infrastructure, sharing data such as position, speed of movement, etc. This connectivity supports subsequent automation, which reassigns the functions previously performed by humans to technology.

Though AV technology is advancing rapidly, security and reliability are still uncertain and debatable. A malicious actor can get unauthorized access to the AV by hacking one of the many electronic components known to have been hacked in the past.

Since the technology is in the nascent stage in both hardware and software and is not yet rigorously tested, autonomous vehicles can be prone to bugs and vulnerabilities. This creates a window of opportunities for hackers to launch adversarial attacks, like hacking ECUs, GPS spoofing, modified traffic signs, exploiting software vulnerabilities by plugging in a malicious device, and injecting false bits CAN, and altering sensor values. Connectivity to the internet also leads to the potential threat.

Imagine a vehicle is compromised by hackers, and they take control of brakes, acceleration, and even steering when someone is sitting inside the vehicle. How worse can it get?

One such incident happened with a Jeep Cherokee in 2015, while it was driving down the interstate at 70 m.p.h. The hackers took over vehicle functions, from the windshield wipers to disabling the accelerator, causing the vehicle to halt on a crowded interstate highway. All was possible by remotely hacking its Uconnect system, which was installed in hundreds of thousands of FiatChrysler vehicles to control the entertainment and navigation features.

The hackers of this incident were located 10 miles away. Still, their use of cellular data as a hacking entry point meant they could have reached vehicles across the country. This hack occurred in a non-autonomous vehicle, and the risks would have amplified if the vehicle was more connected, and there was nobody in the driver’s seat to retake the control. Conventional vehicles can simply protect themselves by limiting connections to the outside world, but AVs do not have that luxury.

This post will look at some of the possible cyberattacks, exploiting the vulnerabilities in various sensors, Vehicular Adhoc Network (VANET), and hardware.

1. Global Positioning System (GPS)

AVs use GPS to accurately locate and navigate the vehicle. To ensure seamless GPS data streaming, several satellites work together in the public domain, making it easy for any device to access the data anywhere and anytime. This provision of free data access with a transparent architecture is counterproductive since hackers can mislead or manipulate the data to route the vehicle in the wrong direction.

This can lead the passengers to a potentially dangerous security and safety crisis. Misleading GPS signals is known as GPS spoofing or jamming, where the hackers transmit wrong or unrealistic signals. As the strength of the unrealistic signal increases, GPS receivers, which are programmed to receive stronger signals, accept the signals and gradually the deviate the vehicle from the desired target.

2. Inertial Measurement Unit (IMU)

An inertial measurement unit (IMU) is a device that measures the velocity, acceleration, and orientation of a vehicle, using a combination of accelerometers and gyroscopes. It also monitors the changes in the environmental dynamics like the gradient and steepness of a road. Malicious modification or interference with IMU data can cause false-positive recognition of the road conditions, causing the vehicle to move slowly. This can slow down the entire traffic flow.

3. Light Detection and Ranging (LiDAR)

LiDAR (Light Detection and Ranging) is a remote sensing system that creates a 3D map of the environment by emitting light pulses in a pulsed laser. LiDAR measures the time light takes to travel to and from the vehicle and determines the distance to an obstacle. The system can be comprised if an attacker shines a laser beam at the sensor, fooling the LiDAR into “seeing” a nonexistent obstacle. It makes the vehicle to slow down or stop.

4. V2X Network Attacks

Vehicle-to-everything (V2X) communication is a technology that enables data exchange between a connected vehicle, other cars, infrastructure, cloud, and external devices like smartphones, using Wi-Fi, Bluetooth, and GSM protocols. These protocols are known to contain bugs and vulnerabilities which attackers can exploit. These communications can expose the network access points, and the vehicle could start communicating with a miscellaneous server.

5. V2V Network Attacks

Vehicle-to-Vehicle (V2V) network opens up a communication channel between a host vehicle and adjacent vehicles to transmit information about overtaking, lane changing, speed, location, travel route, braking, and stability.

The drawback of V2V communication is the use of insecure and unencrypted protocols. An attacker can launch an impersonation attack that consists of a malicious car connecting with the host vehicle with a false identification by spoofing. After establishing communication, the false car sends malicious code to capture sensitive information like authentication keys.

6. V2I Network Attacks

Vehicle-to-Infrastructure (V2I) communication enables autonomous vehicles to communicate with surrounding infrastructure systems, such as intelligent traffic signs and lights, and cellular network nodes, establishing a channel for receiving and transmitting the information. This can be compromised, infected, and impersonated by an attacker, gaining access through a backdoor into the vehicle network and ECUs.

7. OBD port-based Attacks

Onboard diagnostics (OBD) and OBD ports, which are present in all vehicles since 2008, interact with the ECU’s communicating through the CAN bus and collect the vehicle’s diagnostic data that contains information about vehicle faults and performance.

The OBD is an external hand-held device like USB connected to the vehicle through a port below the dashboard opposite the adjacent driver seat. Hackers can then exploit and manipulate the transferred data and inject malicious code into the vehicle network.

8. ECU Firmware Tampering Attack

Engine Control Unit (ECU) is an electronic control module for the sensors and actuators in a vehicle. A typical vehicle consists of more than 100 ECUs, and the proprietary code inside the ECUs makes it safe and secure.

The attackers can modify the ECU memory and security keys, using hashing techniques and authentication of software updates. They reflash the ECU with custom firmware manipulating its state and inducing malicious and unintended actions, using the external interface. This attack is called a direct access attack because it has direct physical access to the ECU.

9. Rogue Updates

Rogue updates of the firmware in a vehicle occur due to the manufacturers’ lack of proper safety and security updates. They allow hackers to provide enough security weakness to introduce malware and control the firmware of the vehicle. The rogue updates can happen in two ways, through Physical or Remote Access.

In Physical Access, the hackers can directly exploit the sensor data, control, and communication modules. Remote access is done through different connections like Wi-Fi, Bluetooth, 4G, etc.

Let’s sum up. Cybersecurity for autonomous vehicles is the most dynamic research and development area as the attacks can get sophisticated day by day with attackers finding new ways and tools to deceive and hack the vehicle.

Though autonomous vehicle development is growing rapidly, the security aspect of the vehicle is not receiving deserved attention, as many countries are trying to bring autonomous vehicles on the road soon. This may become a serious threat to autonomous vehicle security and adoption. Researchers should come forward to join hands for collaborating and proactively giving priority to cybersecurity at design and development stages.